Fast Flux Networks Working and Detection, Part 2

Ethical Hacking Training

Our students have the highest exam pass rate in the industry!

Skillset

With the assumption that readers have read Part 1 of this topic, this article will contain the other part of this article, i.e. what benefits an attacker gets from flux networks, why it is difficult to detect flux networks in your environments, and recommended ways to detect a fast flux network.

How is Flux Advantageous for an Attacker?

The fast flux attack is a simple attack to conduct with high returns. Below are some of the advantages that fast flux networks, because of their design, offer to attackers:

Limited Audit Trails: Since a flux network provides proxy redirection layer front-end nodes, the design offers a layer of protection for any investigation to take place. Even when backtracking, investigations will only yield a handful of IPs relative to frond end nodes of a fast flux network.

Ease of operation: Attack buildup, because of its simple design, requires only one main node to host and serve DNS information. URLs point to front end proxy redirectors, which then transparently redirect client connection requests to the actual malicious back end server or servers. Because of this, now only a few servers are required to host malware sites.

Support for main nodes: because of the design, fast flux service networks extend the operational lifespan of the critical backend core servers that are hidden by the front-end nodes. Since a protection layer is put forward in the main node, it will take much longer to identify and shut down these core backend servers due to the multiple layers of redirection.

Why is Detection of Fast Flux Difficult?

Detecting a fast flux network from a legitimate server network is like separating milk from water, as fast flux networks are very difficult to detect and shut down. Consider the following:

For single flux networks, the only change in IP address is that of the target site. Fast flux service networks usually have several thousand A records for the same domain name. The TTL value for every A record is much less, thereby prompting DNS resolvers to query in short succession. This seems simple to detect by examining rapidly changing DNS records, but various load balancers today provide this kind of configuration in order to serve the client request fast. The detection of domain names being served by a fast flux service network depends upon multiple analytical passes over DNS query results, with increasing flux detection accuracy gained by employing a scoring mechanism to evaluate multiple relatively short-lived DNS records, taking into account the number of A records returned per query, the number of NS records returned, the diversity of unrelated networks represented, and the presence of broadband or dialup networks in every result set.

For double flux, both the NS Records as well as the A records change rapidly. The NS servers are a list of compromised machines having a back-end control to the attacker, thus they provide extra layer of protection for attacker to work without detection. Detecting double flux is twice as difficult as detecting single flux.

How to Detect Fast Flux

Having said that, and with techniques still being researched today, below are some of the suggested techniques to detect fast flux networks. It should be noted that entities that are covered for detection of fast flux networks covers ISP, domain registrars, service providers, etc.

Analyzing of TTLs with the result sets per domain from multiple successive TTL expiration periods can work in identifying the use of fast flux service networks.

ISPs should set up policies to block access to controller infrastructure and must enable blocking of port TCP 80 and UDP 53 into user land networks.

ISPs should create awareness among the linked up service providers about the threat, shared processes, etc.

Domain registrars should do a proper auditing and fine tune the response procedures in order to identify any domain registration for any fraudulent purposes.

Service providers must start logging DNS queries in the network. The scope can be lessened to only outbound DNS queries, and a proper monitoring team should be active 24/7 for analyzing the DNS queries. Some events to look out for, as discussed earlier, events that return A records with a TTL value of less than 1800 seconds. Teams should also ensure that enough information is getting received in the logs, such as domain name, A records, and NS records, for proper analysis.

The security team can also map the IP address related to DNS query response with a TTL of less than 1800 seconds with ASN records, as correlating with ASN records can effectively filter out false positives for fast flux.

Your email address will not be published. Required fields are marked *

Comment

Name *

Email *

Website

Save my name, email, and website in this browser for the next time I comment.

5 × = 25

About InfoSec

At Infosec, we believe knowledge is the most powerful tool in the fight against cybercrime. We provide the best certification and skills development training for IT and security professionals, as well as employee security awareness training and phishing simulations. Learn more at infosecinstitute.com.

Connect with us

Join our newsletter

File download

First Name

Last Name

Work Phone Number

Work Email Address

Job Title

Why Take This Training?

How will you fund your training?

What is your training budget?

InfoSec institute respects your privacy and will never use your personal information for anything other than to notify you of your requested course pricing. We will never sell your information to third parties. You will not be spammed.

Comments

What is Skillset?

Skillset

Practice tests & assessments.

Practice for certification success with the Skillset library of over 100,000 practice test questions. We analyze your responses and can determine when you are ready to sit for the test. Along your journey to exam readiness, we will:

1. Determine which required skills your knowledge is sufficient
2. Which required skills you need to work on
3. Recommend specific skills to practice on next
4. Track your progress towards a certification exam